Threat actors are exploiting a novel attack technique in the wild that leverages specially crafted management saved console (MSC) files to gain full code execution using Microsoft Management Console (MMC) and evade security defenses.
Elastic Security Labs has codenamed the approach GrimResource after identifying an artifact (“sccm-updater.msc”) that was uploaded to the VirusTotal malware scanning platform on June 6, 2024.
“When a maliciously crafted console file is imported, a vulnerability in one of the MMC libraries can lead to running adversary code, including malware,” the company said in a statement shared with The Hacker News.
“Attackers can combine this technique with DotNetToJScript to gain arbitrary code execution, which can lead to unauthorized access, system takeover and more.”
The use of uncommon file types as a malware distribution vector is seen as an alternative attempt by adversaries to get around security guardrails erected by Microsoft in recent years, including disabling macros by default in Office files downloaded from the internet.
Last month, South Korean cybersecurity firm Genians detailed the use of a malicious MSC file by the North Korea-linked Kimsuky hacking group to deliver malware.
GrimResource, on the other hand, exploits a cross-site scripting (XSS) flaw present in the apds.dll library to execute arbitrary JavaScript code in the context of MMC. The XSS flaw was originally reported to Microsoft and Adobe in late 2018, although it remains unpatched to date.
This is accomplished by adding a reference to the vulnerable APDS resource in the StringTable section of a malicious MSC file, which, when opened using MMC, triggers the execution of JavaScript code.
The technique not only bypasses ActiveX warnings, it can be combined with DotNetToJScript to gain arbitrary code execution. The analyzed sample uses this approach to launch a .NET loader component dubbed PASTALOADER that ultimately paves the way for Cobalt Strike.
“After Microsoft disabled Office macros by default for internet-sourced documents, other infection vectors like JavaScript, MSI files, LNK objects, and ISOs have surged in popularity,” security researchers Joe Desimone and Samir Bousseaden said.
“However, these other techniques are scrutinized by defenders and have a high likelihood of detection. Attackers have developed a new technique to execute arbitrary code in Microsoft Management Console using crafted MSC files.”
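The StringTable reference described above is something a defender can scan for before a console file is ever opened. The following Python is an added example, not code from Elastic or the article; it assumes MSC files are XML with a StringTables/StringTable/Strings/String layout (as in the constructed samples) and treats any StringTable entry naming apds.dll or carrying an inline script URL as an indicator.

```python
import xml.etree.ElementTree as ET

# StringTable contents that have no business in a legitimate console:
# a reference to the vulnerable APDS resource (apds.dll) or an inline
# script URL. The indicator list is an assumption based on the write-up.
INDICATORS = ("apds.dll", "javascript:")

# Constructed sample console files (not real artifacts). The element layout
# MMC_ConsoleFile > StringTables > StringTable > Strings > String is assumed.
SUSPECT_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">constructed string pointing at apds.dll</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""

BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Console Root</String>
    <String ID="2" Refs="1">Local Users and Groups</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>
"""


def find_string_table_indicators(msc_xml: str):
    """Return (string ID, indicator, text) for every StringTable entry whose
    text contains one of INDICATORS. Matching is case-insensitive."""
    root = ET.fromstring(msc_xml)
    hits = []
    for table in root.iter("StringTable"):
        for entry in table.iter("String"):
            text = entry.text or ""
            lowered = text.lower()
            for indicator in INDICATORS:
                if indicator in lowered:
                    hits.append((entry.get("ID"), indicator, text))
                    break  # one hit per string is enough to flag it
    return hits


def is_suspicious(msc_xml: str) -> bool:
    """True when any StringTable entry matches an indicator."""
    return bool(find_string_table_indicators(msc_xml))


if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_MSC), ("benign", BENIGN_MSC)):
        print(name, find_string_table_indicators(sample))
```

Legitimate consoles keep their StringTable to snap-in names and node labels, so a single hit is worth quarantining the file and reviewing how it arrived.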